Don’t Press Pause on Security Architecture During the COVID-19 Shutdown

As the “COVID-19 shutdown” pushes businesses into what I call “forced digitalization” – with everyone teleworking – it could be easy for IT and security professionals to become all-consumed by basic operational issues. Just keeping the Virtual Private Networks (VPNs) running can be a challenge under the unprecedented load. And architecture? “Fuggedabout! We got real work to do!”

Per my last post on the new abnormal, security leaders have 7 major classes of issues to worry about amidst the pandemic. This post focuses on the top and middle concerns in my list. We must maintain operational security. That also requires continuing forward momentum on critical architecture initiatives.

Cybercrime Pivoting and Piling On

US and UK government sources indicate that although overall cybercrime volume may not have increased dramatically (yet?), attackers are pivoting to:

Phishing, malware and ransomware distribution using coronavirus as a lure

Malicious domains registered using coronavirus-related keywords

Exploitation of vulnerabilities on new or hastily deployed remote access or remote working infrastructure and services

Compromise of vulnerable home networks and conferencing apps like Zoom
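The second item in this list (lure domains built from coronavirus keywords) is one that a security team can watch for in its own resolver logs. The following is an added detection example written for this post, not code from the original article or from Security Architects Partners. It assumes a simple text DNS query log in the constructed format shown, a keyword list, and an allowlist of legitimate health-authority sites; all three are assumptions that a team would tune to its own environment.

```python
import re
from collections import Counter

# Constructed sample resolver log lines (not from the original post).
# Format assumed: "<timestamp> client=<ip> query=<domain> type=<rrtype>"
SAMPLE_DNS_LOG = """\
2020-04-01T09:12:03Z client=10.1.4.22 query=login.microsoftonline.com type=A
2020-04-01T09:12:07Z client=10.1.4.22 query=covid19-relief-payments.example type=A
2020-04-01T09:13:40Z client=10.1.7.9 query=coronavirus-map-update.example type=A
2020-04-01T09:14:02Z client=10.1.7.9 query=www.who.int type=A
2020-04-01T09:15:11Z client=10.1.9.3 query=corona-vpn-portal.example type=A
"""

# Lure keywords seen in pandemic-themed registrations (assumed list; extend as needed).
LURE_KEYWORDS = ("covid", "coronavirus", "corona", "pandemic", "quarantine", "ncov")

# Known-good domains that legitimately carry these keywords (assumed allowlist).
ALLOWLIST = {"www.who.int", "www.cdc.gov", "coronavirus.gov"}

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def is_allowlisted(domain, allowlist):
    """True if the domain is an allowlisted name or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def flag_lure_domains(log_text, keywords=LURE_KEYWORDS, allowlist=ALLOWLIST):
    """Return one dict per log line whose queried domain contains a lure keyword.

    Each hit records the requesting client, the normalized domain and the
    keywords that matched, so an analyst can pivot to the host for review.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        domain = m.group("query").lower().rstrip(".")
        if is_allowlisted(domain, allowlist):
            continue
        matched = [k for k in keywords if k in domain]
        if matched:
            hits.append({"client": m.group("client"), "domain": domain, "keywords": matched})
    return hits


def clients_by_hit_count(hits):
    """Count flagged queries per client so the noisiest hosts surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    for h in flag_lure_domains(SAMPLE_DNS_LOG):
        print(f"{h['client']} -> {h['domain']} (matched: {', '.join(h['keywords'])})")
    print(clients_by_hit_count(flag_lure_domains(SAMPLE_DNS_LOG)))
```

A keyword match is only a triage signal, not proof of compromise: the allowlist keeps the WHO query out of the results, and the remaining hits are candidates for checking domain registration age and whether the client also downloaded anything from the site.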

Is the Pandemic Crisis Atmosphere Impacting Cybersecurity Operations?

Staff, managers, and companies are at risk of letting their guard down amidst all the distractions of government shutdown orders and supplier disruptions. That would be a mistake. Now is a good time to phish test users. If you haven’t patched the VPN or remote access infrastructure, the threat intel on nation state attacks from as far back as October suggests doing it ASAP.

Amidst the stress of constant change, don’t get sloppy. Don’t neglect important habits or activities such as change management. Maintaining the habit of reviewing logs is also important to detect compromised systems or precursors to compromise. See my separate post about “Keeping Security Teams on Track During a Pandemic.”

What about Architecture?

In the short term, projects considered non-essential may get shut down or delayed. Security architecture projects typically involve taking a step back from tactical operations to discover the current state, assess use cases or requirements, and analyze solution alternatives. Because they aren’t “operational,” these projects could get the axe.

Cutting all security architecture or process improvement projects would be a mistake too. Some of these projects are necessary to successfully manage risks by improving security operations or capabilities urgently needed in the near term.

Redefine What is Considered Strategic During Cybersecurity’s Pandemic Crisis

Consider projects “strategic” when they enable the organization to successfully deploy a critical control and get the most “bang for the buck” on the resulting risk reduction.

Architecture projects can deliver the context and decision support required for pressing operational security projects by defining:

Decision support frameworks for the use cases you need

Target state architecture and design principles

Good practices for deployment

Roadmap for implementation

Caveat: With businesses still in crisis mode, architecture projects must not be too heavy on the discovery and analysis. They should be conducted using rapid or agile methodologies, and they can’t require the proverbial planeload of consultants.

Example: Cloud Identity Modernization

The mass shift to remote working accelerates the push to cloud services. According to one Gartner survey, executives plan to keep more employees out of physical offices even after the pandemic passes. But businesses can’t always “lift and shift” IT systems or business applications to the cloud. That’s because many of these systems are integrated with each other and with on-premises systems in complex ways.

The key to enabling the transition to cloud is to also modernize the business’s identity and access management (IAM) infrastructure to support cloud-based multi-factor authentication (MFA), directory services, and privileged access management (PAM). (By the way, I’ve built up quite a little library on “cloud PAM” at this link.)

Businesses can stand up cloud identity services alongside existing premises-based IAM systems during the transition so as not to break in-house applications. They can then enable user-facing cloud services through identity-as-a-service (IDaaS) providers and cloud PAM solutions. This gets the new systems working sooner and in a more scalable way, and it loosens the dependency on aging premises-based IAM infrastructure over time. This approach can also help businesses evolve a limited office VPN remote access deployment toward a more versatile zero trust model.

Bottom Line

As part of our Security Architects Partners IAM portfolio, we can typically develop a Cloud Identity Strategy and Roadmap for customers in four to eight weeks. Consider going forward with these types of projects even in times of crisis and belt-tightening. Otherwise, cost overruns and delays will trip up your operational projects, and longer-term technical debt or risk will come back to haunt the business.

We founded and ran the Burton Group identity management and security consulting practices, closely mapped to Reference Architecture decision support frameworks. After performing hundreds of engagements for Global 1000 companies, universities and government entities, we now bring our expertise and industry connections to Security Architects Partners and its clients.

Our mission is to deliver high-quality security consulting and education services to enterprise security clients within commercial organizations, higher-education, government and solution provider environments through a team of expert and trusted security architects.